Airplane Takeover Demonstrated Via Android App

Software hack allows security researcher to take control of aircraft navigation and other systems; avionics manufacturers emphasize that the presentation exploited training software.

The avionics systems used in some commercial aircraft are vulnerable to being fed bogus data, which would allow an attacker to take control of navigation systems, relay fake information to pilots' displays and adjust other systems, such as deploying oxygen masks for passengers.

That warning was delivered by Hugo Teso, a researcher at security consultancy N.Runs in Germany who's also a commercial airline pilot, at this week's Hack In The Box conference in Amsterdam.

Using an Android application he developed, dubbed PlaneSploit, Teso employed a Samsung Galaxy smartphone to demonstrate how he could adjust the heading, altitude and speed of a virtual airplane by sending it false navigation data. "You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."

But Teso added that even if a plane did receive and act on spoofed navigation data, a pilot would be able to override the automated controls and take direct control of the aircraft.

According to Teso's Hack In The Box presentation, his research goal has been to successfully exploit an aircraft's flight management system (FMS), which is the computer-human interface in a plane that is used for navigation, flight planning, performance computations and related activities. So for the past three years, he's been auditing code and testing for FMS vulnerabilities using hardware and software from Honeywell, Rockwell Collins and Thales, procured largely via eBay.

The vulnerabilities he exploited in his presentation relate to ACARS (Aircraft Communications Addressing and Reporting System), which is used for exchanging text messages between aircraft and ground stations via radio (VHF) or satellite, he said in a blog post previewing his presentation. Notably, ACARS messages aren't authenticated, and thus could be spoofed. "ACARS has no security at all. The airplane has no means to know if the messages it receives are valid or not," Teso said. "So they accept them and you can use them to upload data to the airplane that triggers these vulnerabilities. And then it's game over."
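The gap Teso describes, a receiver that cannot tell a valid message from a spoofed one, is what message authentication with replay protection closes. The sketch below is an added illustration, not code from the article or from any avionics product; the simplified message layout (not the real ACARS frame format), the pre-shared key, the sample values and the names `seal`, `Receiver` and `demo` are all assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag, in bytes
HDR_LEN = 11  # 7-byte padded aircraft address + 4-byte sequence number


def seal(key: bytes, tail: str, seq: int, text: str) -> bytes:
    """Ground side: bind address, sequence number and text under one tag."""
    body = tail.encode().ljust(7, b".") + struct.pack(">I", seq) + text.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Airborne side: accept only authentic, correctly addressed, fresh messages."""

    def __init__(self, key: bytes, tail: str):
        self.key = key
        self.addr = tail.encode().ljust(7, b".")
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        if len(frame) < HDR_LEN + TAG_LEN:
            return None  # too short to carry header and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        if body[:7] != self.addr:
            return None  # authentic, but addressed to another aircraft
        (seq,) = struct.unpack(">I", body[7:HDR_LEN])
        if seq <= self.last_seq:
            return None  # replay of an earlier valid message
        self.last_seq = seq
        return body[HDR_LEN:].decode()


def demo():
    key = b"constructed-demo-key-not-secret!"  # constructed sample key
    rx = Receiver(key, "D-TEST")               # constructed tail number
    good = seal(key, "D-TEST", 1, "WX UPDATE EHAM 24010KT")
    forged = good[:-TAG_LEN] + bytes(TAG_LEN)  # right body, no valid tag
    tampered = good[:12] + bytes([good[12] ^ 1]) + good[13:]  # one flipped bit
    return [rx.accept(m) for m in (good, good, forged, tampered)]
```

Only the first delivery is accepted: the second copy is rejected as a replay, and the untagged and bit-flipped frames fail the tag check.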

Teso hasn't publicly detailed the precise vulnerabilities he used to craft his attack code, which he dubbed SIMON, but said he's disclosed the flaws to the Federal Aviation Administration and the European Aviation Safety Administration (EASA), as well as to businesses in the aerospace industry that may be affected.

Honeywell spokesman Scott Sayres said that his company is already working with N.Runs to review Teso's research, but downplayed the real-world implications. "If we talk very generically -- not just about Honeywell software -- PC FMS software is normally available as an online pilot training aid," Sayres said via phone. "In other words, what Teso did was hack a PC-based training version of FMS that's used to simulate the flight environment, not the actual certified flight software installed on an aircraft."

EASA said that it's been in contact with Teso, but likewise emphasized that training software isn't the same as certified flight software. "This presentation was based on a PC training simulator and did not reveal potential vulnerabilities on actual flying systems," said spokesman Jeremie Teahan via email. "There are major differences between PC-based training FMS software and embedded FMS software. In particular, the FMS simulation software does not have the same overwriting protection and redundancies that is included in the certified flight software."

"For more than 30 years now, the development of certifiable embedded software has been following strict guidance and best practices that include in particular robustness that is not present on ground-based simulation software," he said.

An FAA official said the agency plans to release a related statement later today.


Thanks for your comment. What wasn't clear, based on Teso's published research, was whether the FMS could be spoofed to alter data to which the autopilot system might react, or if it would just mess with information that the pilot might be reading and then acting on.

Teso hasn't released publicly full details of the vulnerabilities he said he discovered. So it might take a little while for avionics firms to work through the information, test systems, and report back.

But you raise an excellent point: a text messaging system (unencrypted to boot) shouldn't be allowed to interface or alter in any way an FMS, and hopefully this is an open and shut case, and the bugs identified by Teso -- who studied secondhand FMS hardware and software -- don't exist in certified flight systems.

I'm a little confused by this article. I worked on ACARS processing in a Flight Ops context at a major airline for over a decade, mainly on the software on the ground side which both generated and received/processed ACARS requests of various types, and ACARS (at least 10 years ago) simply did not have that level of integration with the avionics.

You could send all sorts of specialized text messages up and down from an ACARS terminal in the cockpit, and you could do a few interactive things on A3xx ships like trigger enroute reports about engine conditions, receive Fuel On Board reports and OOOI events, etc., but at least in our case the ACARS system wasn't involved in any way, shape, or form with the changing of anything at all on the aircraft.

We sent wx updates, takeoff and landing performance numbers, and a lot of other technical information relevant for the flight crew, but those were simply read by the flight crew and then acted upon as any other input would be acted upon. There was no direct interface to the flight controls, only a human interface, and I can't really fathom why one would possibly want to take that any further.

As with most of these type of blog attacks, a real attack of the class is impractical and the severity is over-hyped. As all of us who work in safety critical systems know, risk is defined as probability * severity and this attack is both low probability and low severity, therefore low risk.

This was a great PoC (proof of concept), but the amount of work required to actually perform this in real life on a real aircraft is a lot more complex than Hugo has led people to believe.

Some important bits of information; they did not test the attack on a real aircraft with real systems. The system used to validate the exploit is a simulation version of the FMS code (similarity to the embedded one has to be investigated). The "full control" claim is not valid, there is no way to engage the autopilot from the FMS. Of course, when engaged in "managed mode" the A/C will follow the FMS.

The aviation industry has known about this particular presentation for a while now.

Other things to consider are that the pilots would quickly realize something is wrong, since their printed flight plan would not match what is in the FMS. ATC would be squawking all over the place trying to determine why is the airplane deviating from its flight plan, etc.

All in all this makes for some great headlines and talking point for bobbing heads and arm chair experts, that's about all.

That being said, both ADS-B and ACARS could use some protocol strengthening up though.

So in addition to telling every terrorist in the world that he knows how to take over an airplane and fly it into a world trade center from a seat, Hugo Teso now names the app. I am guessing that he will next auction off the thing to the highest bidder from the Mid East!

This guy should be treated just as if he had worked in Oak Ridge and for kicks decided to use the knowledge gained from his job to build a nuclear bomb in his garage. Somebody had better know where this fellow is at all times, who he has talked to and where every piece of information is stored. This is not just embarrassing Wikileaks -- If he is not just bragging, he can repeat 9/11! Why is he still walking the streets?

Actually pilots often crosscheck their instruments during flight so any changes would be caught rather quickly and pilots can fly without navigation data with the help of air traffic control along with the use of VOR's if worst comes to worst.

The remark about the pilot being able to disengage and fly the plane manually is not very reassuring. The pilot can fly the plane manually, but what about the navigation data? What if a spoofer just quietly adjusts the actual altitude by a 100 feet here and 100 feet there. Would the pilot even notice? He could easily be flying 1000 ft or 2000 ft lower than he thinks he is.

I cannot believe that these messages are not encrypted. Yikes. We encrypt home WiFi networks to keep our info private, but not aircraft communication?
